Overview
Intrusion detection systems (IDS) have been
considered the next lethal weapon in Internet security against the
dark side. However, no victory has been won, and IDS systems have
mostly been used as experiments rather than as critical components in
network security systems. The disappointing results of IDS are due to the
immaturity of the products on the market. In particular, the
effectiveness of such systems relies heavily on time-consuming
configuration management and event analysis by highly skilled
personnel. Otherwise, the systems are doomed to be useless.
Xag is an IDS management suite, used in conjunction with Snort sensor
appliances, developed by Xana to address the deficiencies in
current systems. It is a manager for the popular Snort sensors. It provides
operators with easy-to-use configuration and event-viewing interfaces,
eliminates repetitive work, and drastically increases the efficiency of
configuration and event management. It is ideal for large-scale deployment.

Specification
An IDS using Xag consists of several Snort IDS
sensors with a Xag agent running on each sensor, a MySQL database
where the events are fed and configurations are stored, a Xag server,
and Xag managers on the operators' workstations. The manager interface
edits the sensors' configuration and stores it in the database.
A separate window manages the events.
The agent residing on the sensor host
periodically checks the database for new configuration updates. When a
configuration update is found, the agent retrieves the new
configuration and restarts the Snort sensor process so that it uses the new
configuration. The server is the intermediary among the agents, the
managers and the database. Furthermore, the server handles event
forwarding.
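As an added illustration of the agent's polling cycle described above (example code, not Xag's own; the table schema, the sensor id, the validate/restart callbacks and the use of SQLite in place of MySQL are assumptions), this shows one cycle: check the store for a newer configuration version, write it atomically, validate it before restarting Snort, and roll back if the push is bad, so one mistaken configuration cannot blind every sensor it reaches.

```python
import os
import sqlite3
import tempfile

# Hypothetical table standing in for Xag's MySQL configuration store (assumption).
SCHEMA = """CREATE TABLE sensor_config (sensor_id TEXT NOT NULL,
    version INTEGER NOT NULL, config TEXT NOT NULL, PRIMARY KEY (sensor_id, version));"""

def make_db():
    """Constructed in-memory database with two config versions for sensor 'ids-01'."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sensor_config VALUES (?, ?, ?)", [
        ("ids-01", 1, "var HOME_NET 10.0.0.0/8\n"),
        ("ids-01", 2, 'var HOME_NET 10.0.0.0/8\nalert tcp any any -> $HOME_NET 22 '
                      '(msg:"ssh probe"; sid:1000001; rev:1;)\n')])
    return conn

def check_for_update(conn, sensor_id, current_version):
    """Newest (version, config) above current_version for this sensor, or None."""
    return conn.execute(
        "SELECT version, config FROM sensor_config WHERE sensor_id = ? AND version > ? "
        "ORDER BY version DESC LIMIT 1", (sensor_id, current_version)).fetchone()

def apply_update(conf_path, new_config, validate, restart):
    """Write the config atomically, validate it, restart Snort. validate(path) -> bool
    stands in for a `snort -T -c path` dry run, restart() -> bool for the service
    restart; on failure the previous file is restored so a bad push cannot blind the sensor."""
    backup = open(conf_path).read() if os.path.exists(conf_path) else None
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(conf_path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(new_config)
    os.replace(tmp, conf_path)  # atomic: Snort never sees a half-written file
    if validate(conf_path) and restart():
        return True
    if backup is not None:
        with open(conf_path, "w") as f:
            f.write(backup)
        restart()
    return False

def poll_once(conn, sensor_id, state, conf_path, validate, restart):
    """One agent polling cycle; state = {'version': int}. Returns True if a new
    configuration was applied (the agent jumps straight to the newest version)."""
    row = check_for_update(conn, sensor_id, state["version"])
    if row is not None and apply_update(conf_path, row[1], validate, restart):
        state["version"] = row[0]
        return True
    return False
```

In a real agent the two callbacks would invoke Snort's configuration test and the service restart; here they are injected so the cycle can be exercised offline.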
The configuration manager graphical user interface
allows configuration of any Snort item:
- signature rules using alert or log
- preprocessor configuration
- variable definition
- miscellaneous entry definition